U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:
AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE
U.S. OFFICE OF PERSONNEL MANAGEMENT'S BENEFEDS AND
FEDERAL LONG TERM CARE INSURANCE PROGRAM SYSTEMS
FY 2014

Report No. 4A-RI-00-14-036
Date: August 19, 2014
Washington, D.C.

Michael R. Esser
Assistant Inspector General for Audits

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Executive Summary

This final audit report discusses the results of our audit of the information technology security controls of the U.S. Office of Personnel Management's (OPM) BENEFEDS and Federal Long Term Care Insurance Program (FLTCIP) information systems. Our conclusions are detailed in the "Results" section of this report.

Security Assessment and Authorization (SA&A)
SA&As were completed for BENEFEDS and FLTCIP in March 2013. We reviewed the authorization package for all required elements of an SA&A, and determined that both SA&As appear to have been conducted in compliance with National Institute of Standards and Technology (NIST) requirements.

Federal Information Processing Standards (FIPS) 199 Analysis
The security categorization of both the BENEFEDS and FLTCIP systems appears to be consistent with FIPS 199 and NIST Special Publication (SP) 800-60 requirements, and we agree with the categorization of "moderate."

System Security Plan (SSP)
We reviewed the BENEFEDS and FLTCIP SSPs and determined they adequately address each of the elements suggested by NIST.

Security Assessment Plan and Report
A security control assessment plan and report was completed for BENEFEDS and FLTCIP in July 2012 as a part of each system's SA&A.

Security Control Self-Assessment
We were provided with evidence that a security controls test was conducted in 2013 by an independent third party. However, we are unable to verify that the assessment was conducted in accordance with OPM policy.

Contingency Planning and Contingency Plan Testing
The contingency plans for both BENEFEDS and FLTCIP closely follow the format suggested by NIST SP 800-34 Revision 1, and both systems have been tested in accordance with the published guidance.

Privacy Impact Assessment (PIA)
A privacy threshold analysis was completed for BENEFEDS and FLTCIP and determined that a PIA was required. A PIA was conducted in February 2013.

Plan of Action and Milestones (POA&M) Process
The BENEFEDS and FLTCIP POA&Ms follow the format of the OPM POA&M guide, and have been routinely submitted to the Office of the Chief Information Officer for evaluation.

NIST SP 800-53 Revision 3 Evaluation
We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-53 Revision 3 was implemented for the BENEFEDS and FLTCIP systems. We determined that several controls could be improved.

Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
   I. Security Assessment and Authorization
  II. FIPS 199 Analysis
 III. System Security Plan
  IV. Security Assessment Plan and Report
   V. Security Control Self-Assessment
  VI. Contingency Planning and Contingency Plan Testing
 VII. Privacy Impact Assessment
VIII. Plan of Action and Milestones Process
  IX. NIST SP 800-53 Revision 3 Evaluation
Major Contributors to this Report
Appendix: Healthcare and Insurance's July 30, 2014 response to the draft audit report, issued June 25, 2014

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we audited the information technology (IT) security controls related to the Office of Personnel Management's (OPM) BENEFEDS and Federal Long Term Care Insurance Program (FLTCIP) information systems.

Background

BENEFEDS and FLTCIP are two of OPM's critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform audits of IT security controls for these systems, as well as all of the agency's systems, on a rotating basis.

The BENEFEDS and FLTCIP systems are both owned by OPM's Healthcare and Insurance Office (HI) and operated by a contractor, the Long Term Care Partners (LTCP) organization, located in Portsmouth, New Hampshire. The systems operate independently, but share many operational and security controls.
Therefore, we have combined our audit findings into one report, noting any relevant differences in the appropriate sections.

This was our first audit of the security controls surrounding BENEFEDS and FLTCIP. We discussed the results of our audit with OPM and LTCP representatives at an exit conference.

Objectives

Our objective was to perform an evaluation of the systems' security controls to ensure that OPM and LTCP officials have implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM), and OPM's Office of the Chief Information Officer (OCIO).

OPM's IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for BENEFEDS and FLTCIP, including:
• Security Assessment and Authorization;
• FIPS 199 Analysis;
• System Security Plan;
• Security Assessment Plan and Report;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.
Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of officials responsible for the BENEFEDS and FLTCIP systems, including IT security controls in place as of June 2014.

We considered the systems' internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of LTCP and individuals at OPM with BENEFEDS and FLTCIP security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of BENEFEDS and FLTCIP are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the systems' internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Technology Security Policy Volumes 1 and 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying Management Framework to Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
• Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives.
Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. This audit was conducted from January 2014 through March 2014 in OPM's Washington, D.C. office. This was our first audit of the security controls surrounding BENEFEDS and FLTCIP.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether HI and LTCP's management of BENEFEDS and FLTCIP is consistent with applicable standards. Nothing came to our attention during this review to indicate that HI and LTCP are in violation of relevant laws and regulations.

Results

I. Security Assessment and Authorization

The Security Assessment and Authorizations (SA&As) of BENEFEDS and FLTCIP were completed in March 2013.

OPM's Chief Information Security Officer reviewed the SA&A packages and signed both systems' authorization letters on March 1, 2013. The systems' authorizing official signed the letters and authorized the continued operation of the systems on March 4, 2013.

NIST SP 800-37 Revision 1, "Guide for Applying Management Framework to Federal Information Systems," provides guidance to federal agencies in meeting security accreditation requirements. Both SA&As appear to have been conducted in compliance with NIST requirements.

II. FIPS 199 Analysis

Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

These documents provide guidance for analyzing information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. Both the BENEFEDS and FLTCIP systems are categorized as a moderate impact level for confidentiality, integrity, and availability, resulting in an overall categorization of "moderate."

The security categorization of both systems appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and we agree with the categorization of "moderate."

III. System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3 [1], Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a System Security Plan (SSP) for each system, and provides guidance for doing so.

[1] Revision 4 to NIST SP 800-53 was released in April 2013. OPM allows systems one year to implement the controls for the new revision. NIST SP 800-53 controls testing took place in March 2014 for this audit; therefore Revision 3 was used as criteria.

The SSPs for BENEFEDS and FLTCIP were created using the template outlined in NIST SP 800-18 Revision 1. We reviewed the BENEFEDS and FLTCIP SSPs and determined they adequately address each of the elements suggested by NIST.

IV. Security Assessment Plan and Report

Security Assessment Plans (SAP) were completed for BENEFEDS and FLTCIP in July 2012 as a part of the systems' SA&A process. Security Assessment Reports (SAR) were also completed for each system in February 2013. The SAPs and SARs were conducted by a contractor that was operating independently from HI and LTCP. We reviewed these documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also verified that appropriate management, operational, and technical controls were tested for a system with a "moderate" security categorization.

The SAPs outlined the assessment approach for each system. The SAR for BENEFEDS identified 14 total weaknesses that were discovered as a result of the assessment; 12 of those weaknesses have since been remediated. The SAR for FLTCIP identified 7 total weaknesses, 5 of which have since been remediated. All weaknesses were added to the BENEFEDS and FLTCIP combined Plan of Action & Milestones (POA&M) document. A risk rating was applied to each weakness to determine the potential impact of exploitation.

Nothing came to our attention to indicate that the security controls of BENEFEDS and FLTCIP have not been adequately tested by an independent source.

V. Security Control Self-Assessment

OPM requires that the IT security controls of each contractor-operated application be tested on an annual basis. In the years that an independent assessment is not being conducted on a system as part of an SA&A, the system's owner must ensure that annual controls testing is performed by a government employee or an independent third party.

LTCP provided us with evidence that a security controls test was conducted in 2013 by an independent third party. The assessment included a review of some relevant security controls outlined in NIST SP 800-53 Revision 3. However, the test results were not submitted to the OCIO on the standard template. Furthermore, the documentation provided did not clearly identify which NIST controls were tested. Although it is evident that some security control test work was conducted, we are unable to verify that one-third of the NIST SP 800-53 Revision 3 controls were adequately tested, as required by OPM policy.

Recommendation 1
We recommend that HI ensure that annual security control testing is conducted in accordance with OPM policy and that the test results are submitted using the template created by the OCIO.

HI Response:
"The management of the BENEFEDS/FLTCIP systems concurs with each of the recommendations in the Draft audit and has identified a corrective action plan to address those audit findings determined to be unresolved as of the date of the OIG report."

OIG Reply:
As part of the audit resolution process, we recommend that HI provide Internal Oversight and Compliance with evidence that it has adequately implemented this recommendation.
This statement also applies to all subsequent recommendations, as the HI response above addresses all of the recommendations in the audit report.

VI. Contingency Planning and Contingency Plan Testing

NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems and Organizations, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM's security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The BENEFEDS and FLTCIP contingency plans document the functions, operations, and resources necessary to restore and resume system operations when unexpected events or disasters occur. Both contingency plans closely follow the format suggested by NIST SP 800-34 Revision 1, and contain a majority of the required elements.

Contingency Plan Test
NIST SP 800-34 Revision 1 provides guidance for testing contingency plans and documenting the results. Contingency plan testing is a critical element of a viable disaster recovery capability.

A tabletop and failover test was conducted for the BENEFEDS and FLTCIP systems by LTCP officials in August 2013. The exercise tested the communication and coordination between the LTCP staff and the contracted backup site personnel. The testing documentation contained an analysis and review of the results. We reviewed the testing documentation and determined that the tests conformed to NIST SP 800-34 Revision 1 guidelines.

VII. Privacy Impact Assessment

The E-Government Act of 2002 requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system.
OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any privacy vulnerabilities in information systems and to document any privacy issues that have been identified and addressed.

LTCP completed a Privacy Threshold Analysis of the BENEFEDS and FLTCIP systems and determined that a PIA was required. PIAs were completed for both systems in February 2013 and approved by the system owner and Chief Information Officer.

VIII. Plan of Action and Milestones Process

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

We evaluated the BENEFEDS and FLTCIP POA&Ms and verified that they follow the format of OPM's standard template and have been loaded into Trusted Agent, the OCIO's POA&M tracking tool, for evaluation. Nothing came to our attention to indicate that there are any current weaknesses in the management of the POA&Ms for those systems.

IX. NIST SP 800-53 Revision 3 Evaluation

NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated whether a subset of these controls had been implemented for BENEFEDS and FLTCIP. We tested approximately 62 security controls outlined in NIST SP 800-53 Revision 3.
We tested one or more controls from each of the following control families:
• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identification and Authorization
• Incident Response
• Media Storage
• Planning
• Risk Assessment
• System and Services Acquisition
• System and Communication Protection
• System and Information Integrity

These controls were evaluated by interviewing individuals with BENEFEDS and FLTCIP security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system.

We determined that all tested security controls appear to be in compliance with NIST SP 800-53 Revision 3 requirements, with the following exceptions:

1. Control AC-5 – Separation of Duties
LTCP does not maintain a documented policy or security matrix to outline the required segregation of duties related to the user roles in the BENEFEDS and FLTCIP systems.

NIST SP 800-53 Revision 3 states that organizations should separate duties of individuals as necessary to prevent malevolent activity without collusion, document separation of duties, and implement separation of duties through assigned information system access authorizations.
Failure to ensure separation of duties increases the risk that application users could make unauthorized or malicious changes to the application.

Recommendation 2
We recommend that HI ensure that a policy is developed to establish proper segregation of duties within BENEFEDS and FLTCIP.

Recommendation 3
We recommend that HI ensure that a routine audit of user accounts is conducted to verify compliance with the segregation of duties policy.

2. Control CM-2 – Baseline Configuration
LTCP has not documented baseline configurations for server operating systems. We were provided documentation indicating that a project is in place to establish baseline security configurations, but the process is not complete.

NIST SP 800-53 Revision 3 states that organizations should develop, document, and maintain a current baseline configuration of the information system. Failure to establish approved system configuration settings increases the risk that the systems may not meet performance and security requirements defined by the organization.

Recommendation 4
We recommend that HI ensure that LTCP documents approved security configuration settings/baselines for all operating systems used to support the BENEFEDS and FLTCIP systems.

3. Control CM-6 – Configuration Settings
LTCP does not conduct routine configuration compliance auditing. As mentioned above, LTCP does not maintain approved server configurations, and therefore cannot effectively audit security settings (i.e., there are no approved settings to which to compare the actual settings).

NIST SP 800-53 Revision 3 states that the organization should monitor and control changes to configuration settings in accordance with organizational policies and procedures.
Failure to implement a thorough configuration compliance auditing program increases the risk that insecurely configured servers remain undetected, creating a potential gateway for malicious virus and hacking activity that could lead to data breaches.

Recommendation 5
We recommend that HI ensure that LTCP routinely audits the security configuration settings of its servers using approved baselines.

4. Control PE-3 – Physical Access Control
The physical access controls in LTCP's data center could be improved.

LTCP's facility uses electronic card readers to control access to the building and data center. However, the data center did not contain general controls that we typically observe at similar facilities, including:
• Multi-factor authentication to enter the computer room (e.g., cipher lock or biometric device in addition to an access card); and
• Technical or physical control to detect or prevent piggybacking (e.g., turnstiles, piggybacking alarms, two-door "man traps," etc.).

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to LTCP's data center and the sensitive resources and data it contains. NIST SP 800-53 Revision 3 provides guidance for adequately controlling physical access to information systems containing sensitive data (see control PE-3, Physical Access Control).

During the course of the audit, multi-factor authentication to the computer room was implemented.

Recommendation 6
We recommend that HI ensure the improvement of the physical access controls at the FLTC data center hosting BENEFEDS and FLTCIP by installing additional controls to prevent piggybacking.

5. Control RA-5 – Vulnerability Scanning
LTCP conducts monthly vulnerability scans on its network environment. However, we conducted [redacted] of BENEFEDS and FLTCIP servers, [redacted]

We were also told that LTCP does not have a process to document or track patch exceptions (patches that cannot be installed because they would have an adverse effect on existing systems or applications).

NIST SP 800-53 Revision 3 states that the organization should scan for vulnerabilities in the information system and hosted applications and remediate legitimate vulnerabilities in accordance with an organizational risk assessment. Failure to remediate critical vulnerabilities increases the risk that systems could be hacked and sensitive data could be compromised.

Recommendation 7
We recommend that HI ensure that LTCP remediate the critical weaknesses identified in our vulnerability scans.

Recommendation 8
We recommend that HI ensure that LTCP document patch exceptions.

6. Control SC-7 – Boundary Protection
LTCP has implemented firewalls to help secure its network environment.
However, a\n   firewall hardening policy has not been developed, and there is no routine review of the\n   firewall configuration .\n\n                                                9\n\n\x0cNIST SP 800-53 Revision 3 states that an organization should establish a traffic flow policy\nfor each managed interface, document and review each exception to the traffic flow policy,\nand remove exceptions that are no longer supported by a business need.\n\nFailure to implement a thorough firewall configuration policy and continuously manage the\ndevices\xe2\x80\x99 settings increases the organization\xe2\x80\x99s exposure to insecure traffic and vulnerabilities.\n\nRecommendation 9\nWe recommend that HI ensure that LTCP documents a formal firewall management policy.\n\nRecommendation 10\nWe recommend that HI ensure that LTCP implement a process to conduct routine\nconfiguration reviews on its network firewalls to ensure performance and security\noptimization, as defined by the organizational policies.\n\n\n\n\n                                             10\n\x0c                            Major Contributors to this Report\nThis audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector\nGeneral, Information Systems Audits Group. 
The following individuals participated in the audit\nand the preparation of this report:\n\xe2\x80\xa2                    , Group Chief\n\xe2\x80\xa2               , Lead IT Auditor\n\xe2\x80\xa2                       , Lead IT Auditor\n\xe2\x80\xa2              IT Auditor\n\xe2\x80\xa2               , IT Auditor\n\n\n\n\n                                              11\n\x0c                                                     Appendix\n\n                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                  1900 E Street, NW, Washington, DC 20415\n\nHealthcare and\n  Insurance\n\n\n                                                     June 30, 2014\n\n      MEMORANDUM FOR:\n                                      Chief, Information Systems Audits Group\n                                      Office of the Inspector General\n\n      FROM:\n                                      Deputy Assistant Director, Federal Employee Insurance\n                                      Operations\n                                      BENEFEDS/FLTCIP System Owner\n\n\n      SUBJECT:                        Management Response to Draft Audit of the Information\n                                      Technology Security Controls of the U.S. Office of Personnel\n                                      Management\xe2\x80\x99s BENEFEDS and Federal Long Term Care\n                                      Insurance Program (FLTCIP) Systems (Report No. 4A-RI-00-14-\n                                      036)\n\n      The Office of Personnel Management (OPM) Federal Employee Insurance Operations Program\n      Office and its contractor, Long Term Care Partners, LLC; acknowledge and accept the findings\n      of the Office of Inspector General (OIG) as documented in Report No. 
4A-RI-00-14-036 for both\n      the BENEFEDS and Federal Long Term Care Insurance Program (FLTCIP) Systems.\n\n      The management of the BENEFEDS/FLTCIP systems concurs with each of the\n      recommendations in the Draft audit and has identified a corrective action plan to address those\n      audit findings determined to be unresolved as of the date of the OIG report. The plan elements\n      are provided in the attached spreadsheet. The process to identify required resources, identify\n      milestones, respond to the risk (acceptance, transfer, mitigation/remediation), complete planned\n      work, and provide evidence of mitigation/remediation will follow the OPM standard operating\n      procedure for Plan of Actions and Milestones (POA&M) management. Those recommendations\n      outlined in the report that cannot or should not be implemented due to technical limitations,\n      significant negative impacts to performance or service delivery, or other factors will be\n      communicated to OPM Internal Oversight and Compliance and the OPM IT Security and\n      Privacy (ITSP) Office for review and discussion prior to any risk acceptance decision.\n\n      If you have questions about implementation of the POA&M\xe2\x80\x99s, please contact\n      Designated Security Officer, and                .\n\n\n\n\n      www.opm.gov      Recruit, Retain and Honor a World-Class Workforce to Serve the American People   www.usajobs.gov\n\x0c'